[00:04.730 --> 00:09.210]  Welcome back to the Career Hacking Village here at DEF CON Safe Mode.
[00:09.310 --> 00:14.930]  Many times when we're talking on social media or on Discord, we're always asking,
[00:14.930 --> 00:20.350]  what is the best career path? And several times people will say, no, this is the way,
[00:20.350 --> 00:25.070]  no, this is the way, no, this is the way. What we can tell you is that there are many
[00:25.070 --> 00:31.750]  different ways. And I'm really excited to have my friend Pablo explain how he sees it
[00:31.750 --> 00:36.410]  and his recommendations on your career path. Take it away, Pablo.
[00:36.830 --> 00:42.430]  Thanks, Kathleen. So this talk is titled, In Theory, There's No Difference Between Theory
[00:42.430 --> 00:48.490]  and Practice. And so where did this come from? First of all, it's normally attributed to Yogi
[00:48.490 --> 00:53.690]  Berra, who dropped other pearls, like when you come to a fork in the road, take it. But this
[00:53.690 --> 01:00.990]  was actually not one of his. So the difference between theory and practice actually, according
[01:00.990 --> 01:06.070]  to Snopes, appeared first in the 1986 book about programming, The Art and Science of Programming.
[01:06.070 --> 01:11.630]  So I thought it was apropos. A lot of times when we talk about how to get into InfoSec,
[01:11.630 --> 01:17.310]  we devolve into this discussion about going to college and learning theory or the school of
[01:17.310 --> 01:21.890]  hard knocks, the learning practice. And so there's always this push and pull between theory and
[01:21.890 --> 01:29.530]  practice. So why are we here? As Kathleen mentioned, about every six months or so,
[01:29.530 --> 01:36.050]  we see these kind of flame wars and discussions pop up on Twitter about how do you get into InfoSec.
[01:36.170 --> 01:43.210]  And it comes from all sides. So you have some people that believe that security is a prestige
[01:43.210 --> 01:50.750]  class and that you have to spend 10 or 15 years on a watch floor or on a call desk before you can
[01:50.750 --> 01:55.790]  join security. And you have some people saying, look, I didn't go to college. I've got a fantastic
[01:55.790 --> 02:00.590]  InfoSec career and I make a ton of money and the college kids seem really upset by that.
[02:01.050 --> 02:05.710]  And the truth is there are many paths and they're all valuable. It's a matter of what you want to
[02:05.710 --> 02:11.510]  get into it and who you are as a person. So I thought it would be best to have a nice balanced
[02:12.070 --> 02:18.590]  discussion on that. So why do we even have these discussions? Why does it matter? Well, we all go
[02:18.590 --> 02:24.490]  through these little life transitions, right? We finish a school, be it high school or college
[02:24.490 --> 02:30.210]  or a trade school, that we have to go out and find work. Many of us serve some time in the
[02:30.210 --> 02:35.110]  military and we have to figure out what we're going to do once we take the uniform off.
[02:35.390 --> 02:41.550]  Some of us have life changes. We get married or we have kids or something in our life changes
[02:41.550 --> 02:46.910]  and we decide that we want to do something else. Or sometimes our careers just go away or we decide
[02:46.910 --> 02:52.050]  we're just dissatisfied with our careers and we want to get into this thing called InfoSec. And
[02:52.050 --> 02:59.710]  how do we really do that? So some disclaimers. First of all, these views are mine and mine
[02:59.710 --> 03:06.570]  alone. They don't belong to my employer. There's an exception to be found for absolutely everything
[03:06.570 --> 03:10.890]  I'm going to say. So if you try to find fault with this talk, congratulations, you will.
[03:10.890 --> 03:16.610]  Again, these are my opinions and what I've experienced. And those opinions are based
[03:16.610 --> 03:22.670]  upon my observations. But I'm also going to freely admit that I have biases. I took a very
[03:22.670 --> 03:27.130]  particular path and I've seen what I've seen and I haven't seen what I haven't seen. And so
[03:27.130 --> 03:34.610]  your mileage may vary. So a little bit about how my path came into InfoSec so that you understand
[03:34.610 --> 03:39.850]  kind of my latent biases. I've been doing this for a little bit. I got access to my first
[03:41.830 --> 03:49.710]  8088 class computer in 1981 and then played with modems and BBSs. In the early 90s,
[03:49.710 --> 03:54.470]  I was a developer for Expert Systems. Those of you that are in AI may know what that is.
[03:54.470 --> 03:58.890]  In 1993, I went through a life change and I decided to join the United States Navy.
[03:58.890 --> 04:06.070]  Got a degree in computer science in 1998. Spent some time at NSA. Got a master's degree in
[04:06.070 --> 04:11.770]  computer science 10 years after my bachelor's. Went back to Cyber Command. Then was faculty at
[04:11.770 --> 04:17.630]  the Navy's postgraduate school teaching master's level computer science and information sciences.
[04:17.950 --> 04:23.370]  Then I went to US Special Operations Command Hacker Makerspace called SOFWERX. And I just
[04:23.370 --> 04:30.210]  finished a PhD in information sciences. Now that said, the picture is a little dated,
[04:30.210 --> 04:35.570]  you might be able to make out that that's actually me with the rest of the school of
[04:35.570 --> 04:42.570]  root. So I have been in the community for quite a while. So with that all being said,
[04:43.090 --> 04:47.870]  we're going to have this discussion. Let's try not to turn it into a flame war.
[04:48.010 --> 04:52.550]  We can disagree, but we should be respectful about how we disagree with each other.
[04:54.990 --> 04:59.190]  So those of us that have been around for a really long time remember the quote-unquote
[04:59.190 --> 05:05.490]  traditional path to an infosec job. There was no cybersecurity degree when I came up and went
[05:05.490 --> 05:12.930]  through college. And so the running joke was that if you wanted to be a computer security expert,
[05:12.930 --> 05:19.930]  you could either go out and work at a SOC watch floor, become a forensic analyst,
[05:19.930 --> 05:24.490]  and then a lab director, and a chief security officer, and 20 years later, you would be highly
[05:24.490 --> 05:31.410]  paid consultants. Or the hacker method, where you became a hacker, you became a criminal,
[05:31.410 --> 05:35.870]  you got convicted of a crime, and two years later, you were a highly paid consultant,
[05:35.870 --> 05:41.110]  maybe 14 months with good behavior. Those days, unfortunately, or fortunately,
[05:41.110 --> 05:47.770]  depending on your standpoint, may have gone by the wayside. So what are the contemporary paths?
[05:47.770 --> 05:54.010]  How do most of us get into infosec careers this year? Well, there's typically three paths. There's
[05:54.010 --> 05:58.030]  the School of Hard Knocks, there's the certification path, and then there's the
[05:58.030 --> 06:04.210]  college education path. And each of those come with their own pros and cons. And so we should
[06:04.210 --> 06:10.730]  discuss those a little bit. So the first one is the School of Hard Knocks. This is where you kind
[06:10.730 --> 06:17.290]  of teach everything to yourself. It's a very traditional path for hackers, because there used
[06:17.290 --> 06:25.410]  to not be college classes. There used to not be a CEH or a CISSP. You had to go out and read
[06:25.410 --> 06:32.170]  Phrack Magazine and read 2600, or go to hacker boards and teach this stuff to yourself.
[06:33.910 --> 06:39.470]  One of the pros is the cost. The cost is essentially free. You only learn the things
[06:39.470 --> 06:43.330]  that you're interested in learning. You don't have to bother with any baseline things you don't care
[06:43.330 --> 06:48.890]  about. It takes the least amount of time before you get to the amount of stuff, before you get to
[06:48.890 --> 06:54.030]  the subjects that you care about. We'll come back to that least amount of time. And you get practical
[06:54.030 --> 06:59.170]  skills now. You learn what you need to solve your problems. And so you become a practitioner
[06:59.170 --> 07:03.530]  immediately. And really, you're only limited by your personal drive and talent. Nobody's going
[07:03.530 --> 07:07.510]  to tell you that you've got to learn about X before you learn about Y. Nobody's going to tell
[07:07.510 --> 07:12.970]  you that you have to spend two years doing this before you go do that. You can just hop right in
[07:12.970 --> 07:19.950]  and do the things that you're interested in doing. So what are the cons? Well, I mentioned time.
[07:20.150 --> 07:25.210]  Least amount of time of the three paths. Well, that depends on how you cut it. Generally speaking,
[07:25.210 --> 07:30.350]  there was a paper called Outliers by Malcolm Gladwell that says, in order to become an expert
[07:30.350 --> 07:35.890]  in any one thing, you have to spend 10,000 hours doing it. So 10,000 hours, if you break it out
[07:35.890 --> 07:42.130]  into eight-hour work days, means 3.42 years, which sounds remarkably like a bachelor's degree,
[07:42.130 --> 07:46.510]  which takes about four years. And when you add summer vacation, and when you add spring break,
[07:46.510 --> 07:53.230]  you're at four years. You can do it faster. And again, your mileage may vary. If you're a very
[07:53.230 --> 07:58.450]  talented, very driven person, you might be able to do it in less time. But it is still a substantial
[07:58.450 --> 08:04.210]  amount of time if you want to become an expert. Typically speaking, when you go through the
[08:04.210 --> 08:09.510]  School of Hard Knocks, you're all practice and very little to no theory. And the problem with
[08:09.510 --> 08:15.350]  all practice is that the tools change, and the tactics, techniques, and procedures change,
[08:15.350 --> 08:19.470]  and the approaches change. And if you're not based in a theoretical background,
[08:20.150 --> 08:24.430]  and you're not actively using it, those skills become very perishable.
[08:24.850 --> 08:29.130]  And so if you're not actively using it, you're going to lose it very quickly, and you're going
[08:29.130 --> 08:34.170]  to have to come back and reteach yourself. Employment opportunities. Boutique shops
[08:34.170 --> 08:39.570]  are a good opportunity for you because they're smaller, and they're willing to take a chance.
[08:39.570 --> 08:46.910]  A lot of the boutique shops are started by rock stars in this community, and they didn't take a
[08:46.910 --> 08:51.690]  college education in many cases. They learned through the School of Hard Knocks, and so they
[08:51.690 --> 08:56.790]  understand it. Independent consultant is another one. You have to do your own business development,
[08:56.790 --> 09:01.310]  but you can certainly do that. You certainly can get hired by a corporation. The challenge
[09:01.310 --> 09:05.910]  with getting hired with a corporation without a degree is you have to pass the HR check,
[09:05.910 --> 09:12.250]  the human resources check. And the problem with that is the way that the industry has moved is a
[09:12.250 --> 09:16.410]  lot of times, unless you get a personal introduction, you have to go through an automated
[09:16.410 --> 09:20.770]  resume system, and it's looking for certain ticks. And if you don't check one of those ticks,
[09:20.770 --> 09:26.810]  like maybe they require a bachelor's degree, your resume may never get seen by an actual human being.
[09:27.510 --> 09:32.610]  The other issue with the School of Hard Knocks is survivability. So when we go through hard
[09:32.610 --> 09:37.510]  economic times, what happens is usually there's an accountant somewhere, an executive somewhere,
[09:37.510 --> 09:45.830]  that wants to cut cost. And the first thing they cut is high cost assets, which don't have a whole
[09:45.830 --> 09:51.630]  lot of background. So it's easy to justify in a business sense, paying somebody with an advanced
[09:51.630 --> 09:59.070]  degree, a large sum of money, because they've got a demonstrated record that the school vouches for
[09:59.070 --> 10:04.190]  it. That may be harder if you learn through the School of Hard Knocks, unless you're a name brand.
[10:04.190 --> 10:09.370]  If you're a name brand, then that may be different, but it is something to consider.
[10:10.430 --> 10:15.970]  So here's a fantastic example of an absolute rock star who came up through the School of
[10:15.970 --> 10:21.610]  Hard Knocks, Frank Heidt. So, you know, Frank got started in this earlier than I did. He started
[10:21.610 --> 10:30.670]  with a PDP in 1979 at his home. In 1981, he emancipated and went to go work for Chase Manhattan.
[10:30.750 --> 10:34.950]  Never finished 10th grade. So not only does he not have a college degree, he doesn't have
[10:35.370 --> 10:40.550]  a high school diploma. He's one of the best-read, most educated people I know without any formal
[10:40.550 --> 10:46.870]  education, because he's just a tremendously driven and intelligent individual. In 88,
[10:46.870 --> 10:53.170]  he went to work for the New York Transit Authority, created the emergency 911 system for
[10:53.170 --> 11:02.710]  MCI, went to go work for NAVSEA and SWFPAC, which are Navy entities, founded an NSA penetration
[11:02.710 --> 11:10.130]  testing operation in 1997, and became the 10th employee at @stake in 99. And since then, he's
[11:10.130 --> 11:14.950]  founded Leviathan Security, which has a tremendous name in the industry, and he's been a TED speaker
[11:14.950 --> 11:22.070]  times three. So again, no formal education, just a tremendously talented, driven individual
[11:22.070 --> 11:28.530]  with a curious mind. So absolutely, you can do this without certifications, and you can
[11:28.530 --> 11:33.030]  absolutely do this without education, and here's a fine success example.
[11:34.110 --> 11:42.170]  So the other way is certifications. Those have come into vogue of late, and we've all kind of
[11:42.170 --> 11:49.290]  heard the names. There's CEH and OSCP and OSCE and CISSP. And what are all these things? Well,
[11:49.290 --> 11:52.830]  the first thing to be aware of is not all these certifications are created equal,
[11:52.830 --> 11:59.590]  and they're intended for different audiences. For better or worse, if you want to work for the
[11:59.590 --> 12:04.410]  U.S. government, you're probably going to do much better if you have a CISSP, and that's actually
[12:04.410 --> 12:09.610]  true in industry. I've got one. I've got my own thoughts on that certification as compared to
[12:09.610 --> 12:16.330]  other certifications, but it's important for you to weigh what it is that you want to do for a living,
[12:16.330 --> 12:19.990]  what kind of career you want to have, and see if that certification is going to help you get that
[12:19.990 --> 12:26.130]  job or help you become more proficient in what you want to do. Many of the certifications focus on
[12:26.570 --> 12:31.650]  practice with little to no theory, but there's some exemptions. They're vendor motivated. Those
[12:31.650 --> 12:35.870]  certifications are there to make money, right? They want to sell you a boot camp. They want you to pay
[12:35.870 --> 12:40.970]  for the class. They want you to pay to take the certification, and then they want you to pay fees
[12:40.970 --> 12:49.030]  to maintain that certification. There are lots of paths to getting these, but primarily
[12:49.850 --> 12:56.210]  you can take a class, a boot camp, or you can do online and self-teaching by picking up a book.
[12:56.210 --> 13:00.790]  Most of these certifications have books where you can teach yourself the same things, and then
[13:00.790 --> 13:05.170]  your certification exams tend to be either proctored exams, which means that you go to a
[13:05.170 --> 13:09.290]  testing facility and they verify you are who you say you are before you take the exam, and then
[13:09.290 --> 13:14.630]  there are online exams. One of the things that does come up, and it was a problem in the past with
[13:14.630 --> 13:20.650]  some of the certifications, is that the online exams, you could actually go out and pay somebody
[13:20.650 --> 13:25.530]  to take the exam in your stead and get the certification. So once that's out, those
[13:25.530 --> 13:31.170]  certifications become less valuable in the eyes of industry, and so just be aware of that.
[13:33.010 --> 13:38.250]  So what, you know, what are the pros of certifications? It's a great boot camp, right? If you're starting
[13:38.250 --> 13:42.310]  at zero and you don't know how to get going, you're going to get lots of practice in a very
[13:42.310 --> 13:47.930]  short amount of time. Most of these boot camps are a couple of days or maybe a week long. Some
[13:47.930 --> 13:53.610]  of them are a little bit longer if it's a program. You're going to go from nothing to functional in a
[13:53.610 --> 14:00.690]  very short time. Theory may vary, but typically very little theory in these. If you do a boot
[14:00.690 --> 14:03.790]  camp, you're going to get some led learning, which means that you're going to have somebody
[14:03.790 --> 14:08.690]  that's ostensibly a subject matter expert to answer your questions. There's going to be a defined
[14:09.050 --> 14:13.750]  progression of knowledge, so if you don't know where to start or where to go next, typically these
[14:13.750 --> 14:18.130]  boot camps will help you out with that. In the certifications, many of them will help you pass
[14:18.130 --> 14:22.370]  an HR check because they're familiar with the vendors, they're familiar with the certifications,
[14:22.370 --> 14:29.130]  and they're familiar with the knowledge you have to demonstrate in order to achieve those
[14:29.130 --> 14:34.630]  certifications. And so in many cases, those automated resume checkers will actually tick
[14:34.630 --> 14:42.730]  the box if you've got the right certifications that they're looking for. So what you're looking
[14:42.730 --> 14:48.350]  at on the screen now is two courses. In the red box is one course, and in the blue box is the other
[14:48.350 --> 14:53.010]  course. And my question for you is, what is the difference? And I'll give you a few seconds here
[14:53.010 --> 15:06.900]  to read it. Good. So both of these are actually courses in exploitation development. One of them
[15:06.900 --> 15:12.260]  is a master's level course, the other one is a course from a vendor that you take in one week.
[15:12.260 --> 15:18.140]  So the master's level course takes 12 weeks, the vendor course takes one week. You're covering the
[15:18.140 --> 15:24.320]  same information. But what you should think about is, if you take it in 12 weeks, are you going to
[15:24.320 --> 15:29.880]  get a much deeper understanding and much more practice than if you take it one week? And I would
[15:29.880 --> 15:34.880]  suggest that, yeah, you will. You know, if you're spending 12 weeks with the material, you're going
[15:34.880 --> 15:39.060]  to spend more time exploring that material and going deeper on it than if you spend one week.
[15:39.060 --> 15:43.680]  That doesn't mean that you're missing out on a whole lot of stuff if you're taking the one week,
[15:43.680 --> 15:47.660]  but just be aware that a one-week boot camp is just going to give you an introduction to all
[15:47.660 --> 15:51.440]  of these subjects. And so you're going to have to go through and spend some of your own time
[15:51.440 --> 15:58.840]  really studying it. So what are some of the cons of certification? So I went out to a well-known
[15:58.840 --> 16:04.300]  vendor, who will remain nameless, and I pulled up the cost for achieving their certification.
[16:04.480 --> 16:11.720]  So their one-week class is $6,200. And then you have to wait a certain amount of time before you
[16:11.720 --> 16:17.340]  can take the certification. And so if you want access to their online labs after the course,
[16:17.340 --> 16:25.760]  it's another $729. So we're up at $7,000. And then each certification attempt is $729. So
[16:25.760 --> 16:32.480]  you're up close to $8,000, and that's if you pass it the first time. If for whatever reason you fail
[16:32.480 --> 16:35.940]  it and you have to go back and take it, well, you're probably going to need access to the labs,
[16:35.940 --> 16:40.160]  and you're probably going to need to pay for another certification event. So that's another
[16:40.160 --> 16:46.640]  $1,500 every time that you fail to pass. And then on top of that, you're going to have to pay to
[16:46.640 --> 16:52.600]  renew this every three to four years. So at $8,000, and we'll talk about the cost of college
[16:52.600 --> 16:58.820]  later, but $8,000 is a substantial amount of money. Not just compared to college, but compared to
[16:58.820 --> 17:04.080]  anything, $8,000 is a substantial amount of money. The other part is, as I mentioned, the certifications
[17:04.080 --> 17:10.020]  tend to be tools-focused. Not always, not all certifications, but they tend to be tool-focused.
[17:10.140 --> 17:14.680]  And so they're perishable, right? If you take a certification and then you don't do that
[17:14.680 --> 17:22.060]  on a daily basis for your job, your skill in that set is going to depreciate. The other thing is,
[17:22.060 --> 17:26.120]  what do they demonstrate? And so there's this ongoing discussion that always happens about,
[17:26.120 --> 17:31.460]  does that demonstrate knowledge or does that demonstrate your ability to take an exam? And
[17:31.460 --> 17:36.980]  different people have their own biases on this. I absolutely know people that could not pass a
[17:36.980 --> 17:41.020]  certification exam that absolutely had mastery of the material. They just couldn't take a test.
[17:41.020 --> 17:45.860]  I've also seen it the other way, where somebody passes the test and they clearly knew nothing
[17:45.860 --> 17:50.720]  about the material. And so there's really a discussion there that happens, and hiring
[17:50.720 --> 17:56.100]  managers will think about this, about does the certification really demonstrate that you know
[17:56.100 --> 18:03.640]  what I need you to know? So let's talk about college. I know that this is a very personal
[18:03.640 --> 18:10.560]  subject for a lot of people. Not all schools and all programs are created equally. If you go and
[18:10.560 --> 18:16.060]  get a computer science degree from MIT, it's going to be very different than if you get a
[18:16.060 --> 18:21.860]  computer science degree from, you know, maybe a community college or from University of Phoenix or some
[18:21.860 --> 18:28.760]  other schools. Take a look at what the reputation is, not just of the school, but of that particular
[18:28.760 --> 18:34.240]  program in that school. Most of you have never probably heard of University of Texas Dallas.
[18:34.240 --> 18:38.620]  They happen to have one of the top-ranked schools for computer science in the country.
[18:38.620 --> 18:44.200]  University of California Santa Barbara has one of the top-ranked schools for cyber security-based
[18:44.200 --> 18:48.980]  computer science. So really take a look at the programs, take a look at the schools,
[18:48.980 --> 18:56.120]  and realize that they're not all created equal. Most of the colleges will focus on theory with
[18:56.120 --> 19:00.540]  varying levels of practice. And again, that is a question that you should ask when you're
[19:00.540 --> 19:05.020]  considering a school in a program. How much is this theory and how much of this is practice?
[19:06.000 --> 19:09.940]  Then the other question you want to ask is, do I want to just study? Do I want to become a
[19:09.940 --> 19:14.080]  full-time college student or do I want to work and study? Now some of us, we're not going to have
[19:14.080 --> 19:18.900]  that option. Our life situations are such that we've got people that depend on us, we've got
[19:18.900 --> 19:25.280]  dependents, and so we're going to have to work and study. And that's okay, but for those of us
[19:25.280 --> 19:30.440]  that have the choice, we've got to balance possibly taking larger loans out to concentrate on our
[19:30.440 --> 19:35.680]  studies, vice taking smaller loans out, and working and studying. And that's very much a
[19:35.680 --> 19:40.900]  personal choice. Job placement. If you're going to go to a college, you should find out if they're
[19:40.900 --> 19:46.480]  going to help you get a job afterwards. College degrees are not cheap, they're very expensive,
[19:46.480 --> 19:52.960]  and so getting the degree shouldn't be where your college stops. Your college or university
[19:52.960 --> 19:59.620]  should help you with job placement afterwards. And then there's a value proposition versus cost.
[20:00.180 --> 20:08.140]  If you... getting a college degree in something that is not marketable is a personal choice. So
[20:08.140 --> 20:13.800]  really, if you want to work in InfoSec, you know, that history degree may or may not help you. And
[20:13.800 --> 20:17.920]  we'll talk more about unrelated degrees later. But if you know you want to work in InfoSec,
[20:17.920 --> 20:24.680]  perhaps you want to consider cybersecurity or an IT or a computer science degree.
[20:25.170 --> 20:30.940]  But there are other degree paths. You can either get an unrelated degree and get into InfoSec,
[20:30.940 --> 20:36.880]  or you can get a related degree and get into InfoSec. And those have their own pros and cons.
[20:36.980 --> 20:42.140]  And I'll show you an example of somebody that has an unrelated degree and has a fantastic InfoSec
[20:42.140 --> 20:49.860]  career. So the pros of colleges is that all industries and all companies recognize bachelor's
[20:49.860 --> 20:55.480]  degrees and master's degrees and PhDs. They're resilient, they tend to be theory focused,
[20:55.480 --> 21:02.060]  which moves at a much slower pace than practice. And so the tools change, the theory very rarely
[21:02.060 --> 21:07.000]  does. But if you've got a degree in that field, you're going to get that HR pass. If they're
[21:07.000 --> 21:11.420]  looking for a bachelor's degree, I'm not aware of someone that says, well, you've got a bachelor's
[21:11.420 --> 21:15.220]  degree, but it's not the right bachelor's degree, and therefore we're not going to take you.
[21:15.220 --> 21:19.460]  Job survivability, I talked about when we hit hard economic times,
[21:19.460 --> 21:25.320]  the people with degrees that are working in a field with their degree tend to be more survivable
[21:25.320 --> 21:29.640]  than the people that don't have degrees that are working in a field. Right, wrong, or otherwise,
[21:29.640 --> 21:35.480]  that's just kind of how it happens. It's a non-perishable skill, right? Again, I talked
[21:35.480 --> 21:40.560]  about the 10,000 hours to become an expert, 3.42 years, that's roughly the amount of class time
[21:40.560 --> 21:46.780]  that you're going to spend getting a bachelor's degree. Writing, writing is absolutely critical.
[21:46.780 --> 21:50.200]  I'll talk more about that. You're going to spend a lot of time writing in college.
[21:50.440 --> 21:54.980]  You can be the best penetration tester in the world, but you have to be able to communicate
[21:54.980 --> 22:00.220]  your findings in writing. And if you can't do that, you're probably not going to be hired back.
[22:00.980 --> 22:05.940]  Non-related courses, is that actually a benefit? I actually believe it is.
[22:06.580 --> 22:10.820]  It's easy for us to learn things that we're interested in within our chosen major. It is
[22:10.820 --> 22:15.120]  much harder to pay attention, learn things that we're not familiar with and we're not good at.
[22:15.380 --> 22:19.360]  But learning is like anything else. The more you practice at learning, the better you become at
[22:19.360 --> 22:24.800]  learning. And so as you're asked to learn new things throughout your career, it actually becomes
[22:24.800 --> 22:31.900]  easier to learn things the more you've practiced it. And then cost, it may or may not be a pro.
[22:31.900 --> 22:36.380]  Again, that depends on how you choose to fund your college education. If you use
[22:37.560 --> 22:42.500]  grants and scholarships, then cost is probably not prohibitive. But you also have to make some
[22:42.500 --> 22:47.340]  lifestyle choices about how you want to live while you're going through college. Otherwise,
[22:47.340 --> 22:52.440]  you're going to end up racking up a lot of debt that may or may not be a good value proposition.
[22:56.260 --> 23:00.620]  So writing and unrelated courses. Writing is absolutely critical for success. That's
[23:00.620 --> 23:06.440]  not just me saying that; that's Lenny Zeltser. Lenny Zeltser, among various and sundry other things,
[23:06.440 --> 23:12.800]  is a fantastic SANS instructor. And he teaches the reverse engineering of malware. And he says,
[23:12.800 --> 23:16.360]  listen, if you want to excel in information security, you've got to have strong writing skills.
[23:17.480 --> 23:24.840]  Often these things are ignored. Many of us don't like to write. I am not a fan of writing. I'm not
[23:24.840 --> 23:28.860]  going to sit there and practice writing. I don't do short stories or any of those things. I know
[23:28.860 --> 23:33.320]  lots of people do and I envy them. It is something that I've had to work very hard at.
[23:33.600 --> 23:37.720]  Most of us in this field tend to ignore writing because we're more interested in the technical
[23:37.720 --> 23:43.600]  skills. But just like technical skills, writing requires practice. And so if you go to college
[23:43.600 --> 23:47.700]  and you're forced to take unrelated classes, you're going to be forced to practice writing.
[23:48.240 --> 23:52.600]  And it's one of those things that if you're not going to do it on your own, you need to find
[23:52.600 --> 23:56.640]  somebody that's going to force you to do it. This may help you do it. The other thing is that
[23:57.300 --> 24:03.120]  understanding other fields helps you explain things. Very rarely are we going to do InfoSec
[24:03.120 --> 24:08.560]  for the sake of InfoSec. Normally we're going to do InfoSec for the sake of a company. That company's
[24:10.280 --> 24:15.120]  mission may not be InfoSec. It may be a bank. It may be an educational institution. It may be
[24:15.120 --> 24:19.680]  an engineering institution. And if you can't understand what it is that that company does,
[24:19.680 --> 24:23.280]  you're probably not going to be able to communicate very well why they should be
[24:23.280 --> 24:30.990]  concerned about InfoSec. So what are the cons? Well, cost, right? You have to be cognizant of
[24:30.990 --> 24:37.670]  the financial cost of college. College is definitely not cheap. You have to think,
[24:37.670 --> 24:43.150]  make some choices about how you're going to live. You have to discuss, think about the applicability.
[24:43.690 --> 24:47.270]  Unrelated courses are going to be required. Listen, any degree that you get, you're going to
[24:47.270 --> 24:50.950]  have to take English Composition, and you're probably going to have to take History, and
[24:50.950 --> 24:55.870]  you're probably going to have to take College Math. It's something we all kind of suffer through,
[24:55.870 --> 25:03.510]  but you're just going to have to do that. The baseline related courses are good because that's
[25:03.510 --> 25:07.750]  where you get your introduction to theory, but they tend to be not very exciting. For those of
[25:07.750 --> 25:12.550]  us that love this stuff, we already kind of know how to program in Python, right? We don't really
[25:12.550 --> 25:17.230]  need an Intro to Python class, but the college is going to probably require that if you're taking
[25:17.230 --> 25:22.610]  Computer Science, and so you're just going to have to suffer through it. One of the criticisms
[25:22.610 --> 25:27.850]  is that college is not practical. They tend to be a little bit behind, and that's true in many
[25:27.850 --> 25:31.470]  programs. They're not keeping up with the latest and greatest because they're not trying to teach
[25:31.470 --> 25:36.150]  you practice. In many cases, they're trying to teach you theory, which moves at a much slower pace.
[25:36.330 --> 25:42.570]  The other problem is time. College requires a significant time investment. Even if you're a
[25:42.570 --> 25:46.170]  full-time student, it's probably going to take you three or four years to finish a bachelor's.
[25:46.170 --> 25:50.570]  A master's is going to take you, even if you're a full-time student, probably two years.
[25:51.930 --> 25:57.910]  So, let's talk a little bit about the cost. This is the average cost as pulled from an
[25:57.910 --> 26:04.810]  independent journalist for a university. So, a public two-year in-district is $3,400.
[26:06.830 --> 26:12.590]  A public four-year is $9,000. Now, if you remember a few slides ago, we talked about certifications,
[26:12.970 --> 26:20.950]  and a one-week class in a certification tent was $8,000. So, for $1,000 more, you get to spend
[26:21.750 --> 26:29.810]  an entire year at a university becoming a dedicated learner. So, what's the value proposition there?
[26:29.870 --> 26:32.790]  If you're going to go to an out-of-state school, yeah, it's going to be a lot more expensive,
[26:32.790 --> 26:37.730]  right? You're looking at, on average, $24,000. And if you go to a private university, you're
[26:37.730 --> 26:43.890]  looking at $32,000. So, these are all things to keep in mind. Maybe the best option is not to move
[26:43.890 --> 26:49.090]  far away from home, unless you're chasing a particular school and a particular program,
[26:49.090 --> 26:54.990]  because they really teach the things exactly that you want to learn, or they have good insight in
[26:54.990 --> 27:00.330]  the industry that you want to go. If you want to work in Silicon Valley, absolutely go to a
[27:00.330 --> 27:04.150]  University of California school, right? Because they're there, and they have established relationships.
[27:05.850 --> 27:10.570]  But these are just the costs for tuitions and fees. These don't include things like
[27:11.070 --> 27:14.870]  your living expenses. They don't include things like your meal plans, and they don't include
[27:14.870 --> 27:19.450]  things like your books. Let's have a little bit of a discussion about reducing cost.
[27:19.950 --> 27:26.110]  This is a mock-up of my dorm room. Actually, that's not quite true. This is a mock-up of
[27:26.110 --> 27:32.930]  the dorm room after they remodeled it after I graduated. It looks pretty much like a prison.
[27:32.930 --> 27:37.870]  I lived a very spartan lifestyle, but because I did that, I incurred very little... actually,
[27:37.870 --> 27:42.870]  in my case, I incurred no cost. But if you want to have a really nice apartment, and you're a
full-time student, and you're not working, recognize that your lifestyle is going to go on
your student loans, and so that's going to drive up your cost. And so, while I fully recognize that
[27:53.670 --> 27:59.870]  college is expensive, I often question when people say, well, I've got a hundred and some odd
[27:59.870 --> 28:04.630]  thousand dollars of debt for going to school, and I ask if they lived in a dorm, and they show me
[28:04.630 --> 28:10.590]  pictures of this fully laid out apartment with giant screen TVs. Delayed gratification is a
[28:10.590 --> 28:15.150]  thing. If you don't want to incur a lot of cost while you're in college, you may want to cut back
your living expenses a little bit. So, cons of college, you know, the applicability, you're
[28:24.020 --> 28:27.300]  going to be taking a lot of unrelated courses. You're still going to have to pay for those
[28:27.300 --> 28:34.780]  courses. Again, they're tangentially related. Practice varies. Not all programs provide you the
[28:34.780 --> 28:39.840]  same amount of practice, and not all schools are the same, right? Contact hours with your professors
[28:39.840 --> 28:46.920]  and your instructors matter. Faculty that have been in the real world and really are subject
[28:46.920 --> 28:51.760]  matter experts matter. One of the things I will tell you is you are going to meet a lot of faculty
[28:51.760 --> 28:56.140]  members at some schools that have never been in the real world. They've spent their entire life
[28:56.140 --> 29:02.940]  in academia, and so their view of industry and what's needed to succeed in industry is going to
[29:02.940 --> 29:08.840]  be very different than someone who has spent some time in industry doing it. Usually, you get
[29:08.840 --> 29:15.320]  good, fast, or cheap. Choose two. With universities and college education, it's normally choose one.
[29:15.680 --> 29:21.720]  There are some that are good and cheap, but that's rare. You really have to be lucky
[29:21.720 --> 29:28.060]  enough to be living close to a school that has a good program, but they're definitely not fast.
[29:28.060 --> 29:31.500]  If it's fast, there are some schools out there that are online, and they will tell you that you
[29:31.500 --> 29:35.900]  can get a master's degree in one year. It's probably not going to be cheap, and it's probably
[29:35.900 --> 29:40.520]  not going to be good. Let's be honest about that. So, go into it with your eyes open. The other
[29:40.520 --> 29:45.380]  thing that you see is a lot of schools are going to advertise that they're NSA
[29:45.380 --> 29:50.980]  Academic Centers of Excellence. I will tell you, having taken two schools through that certification
[29:50.980 --> 29:57.800]  program, that that certification is absolutely worthless. It is not that hard to get accredited
[29:57.800 --> 30:05.720]  as an NSA Academic Center of Excellence, and it's a paperwork drill. The NSA asks schools
[30:05.720 --> 30:12.280]  to make sure that they teach certain things, and if they have one slide on one course that mentions
[30:12.280 --> 30:18.800]  that subject, then they get to claim that they taught it. That is really not what NSA and
[30:18.800 --> 30:25.120]  Cyber Command were after. So, I would not really consider that Academic Center of Excellence
[30:25.120 --> 30:29.040]  certification for a school as worthwhile. Don't buy that.
[30:31.240 --> 30:37.360]  So, another con is the applicability. I used to teach not just at the graduate level, but at the
[30:37.360 --> 30:42.480]  undergraduate level, and I happened to teach one of the last classes that my undergraduates took
[30:42.480 --> 30:48.300]  before they graduated. And many, many, many of my students would come to me and go,
[30:48.300 --> 30:52.700]  hey, listen, you know, Professor Brewer, loved your class. It was great. I'm about to graduate
[30:52.700 --> 30:57.700]  with a degree, a bachelor's degree in computer science. I don't feel qualified to do anything.
[30:58.380 --> 31:03.920]  Congratulations, you're not alone. We all feel that way. If you spend any time in InfoSec,
[31:03.920 --> 31:08.280]  you're just going to get used to the imposter syndrome. I still have it. Many of the people
[31:08.280 --> 31:13.940]  up on stage today are still going to have it. But what you need to realize is that having a
[31:13.940 --> 31:17.000]  bachelor's degree doesn't demonstrate that you're an expert in something.
[31:17.000 --> 31:22.060]  A bachelor's degree demonstrates that you're capable of being taught and learning new things.
[31:22.280 --> 31:25.640]  And so your employers know that. Because you've got a bachelor's degree in computer science,
[31:25.640 --> 31:29.560]  they don't expect you to hop in and be an expert programmer. They expect that when they stick you
[31:29.560 --> 31:34.040]  with a more seasoned senior programmer, that they're going to be able to teach you the things
[31:34.040 --> 31:38.860]  that you need to do to accomplish your job there. A master's degree doesn't mean that
[31:38.860 --> 31:42.680]  you're a master of your trade. It absolutely does not. What it means is that you're capable
[31:42.680 --> 31:48.820]  of teaching yourself. If you don't know something and you're asked to do it, you're capable of going
[31:48.820 --> 31:54.920]  out and finding resources and teaching yourself. And a PhD absolutely doesn't mean that you're an
[31:54.920 --> 31:59.600]  expert in anything. What it means is that you're capable of conducting independent scientific
[31:59.600 --> 32:06.700]  research. So a lot of people do ask me, because I've just gotten one, should I get a PhD? And my
[32:06.700 --> 32:13.580]  answer to this is, you should only get a PhD for three reasons. The first one is, if you want to
[32:13.580 --> 32:18.940]  work in academia, if you want to be a university professor, absolutely go get a PhD. There's a
hard caste system in there about tenure-track PhDs and non-tenure-track PhDs and then lecturers.
[32:25.640 --> 32:31.320]  The other reason is, if you want to do research, professional research, for your career,
[32:31.320 --> 32:39.740]  go get a PhD. And the last reason to get a PhD, which was my reason, was I just wanted one.
[32:40.500 --> 32:45.360]  Does it really help your career? It's arguable. I would say most cases the juice is probably not
[32:45.360 --> 32:51.020]  worth the squeeze on that one. It was just a personal goal I'd set for myself for reasons
[32:51.020 --> 32:55.700]  that, well, I'm just not going to get into. But just be aware of what those degrees are supposed
[32:55.700 --> 33:03.980]  to demonstrate. None of these demonstrate that you're an expert. So unrelated degrees,
[33:03.980 --> 33:08.880]  everybody needs InfoSec, right? It doesn't matter if you're a book publisher, if you're a bank,
[33:08.880 --> 33:15.780]  if you're a manufacturer, if you run industrial plants. All these things right now run on IoT
[33:15.780 --> 33:23.700]  and computers, and so they all need InfoSec. And taking these unrelated courses helps you
[33:23.700 --> 33:29.740]  learn the language of non-InfoSec people. If you're an InfoSec person and you go talk to your
boss at a bank about IP addresses and ROP, they're just going to run you out of the room.
[33:36.820 --> 33:40.600]  They pay you good money so they don't have to hear that language. They want to know,
[33:40.600 --> 33:44.540]  you know, what do I gain, what do I lose, what does it cost, and why do I care?
[33:44.540 --> 33:49.680]  So you're going to have to translate the geek speak and the InfoSec to business processes
[33:49.680 --> 33:55.100]  and thought processes of executives. Baseline courses, regardless of degree, are going to be
[33:55.100 --> 34:00.820]  the same. It doesn't matter if you're going to get a bachelor's in history, a bachelor's in women's
[34:00.820 --> 34:05.360]  studies, a bachelor's in computer science, or a bachelor's in electrical engineering.
[34:05.460 --> 34:10.140]  You're all going to have to take college math. You're all going to have to take English composition.
[34:10.400 --> 34:14.560]  Those baseline courses are the same, and they're meant to be a good foundation for the rest of your
[34:14.560 --> 34:19.120]  learning. I mentioned writing practice. You're going to get a lot of writing practice, regardless
[34:19.120 --> 34:24.460]  of your degree. That writing is important. It's actually critical. I would say in many cases,
[34:24.460 --> 34:29.180]  it's at least as critical, if not more critical, than your technical knowledge.
[34:30.040 --> 34:34.400]  But if you're going to get an unrelated degree and you want to work at InfoSec, at some point
[34:34.400 --> 34:39.000]  you're going to have to come back and either get some training or some education on the tech side.
[34:39.400 --> 34:43.080]  You can't just hop in from a history degree and decide that you're going to be
[34:43.680 --> 34:48.060]  an InfoSec analyst without going back and actually understanding what some of the InfoSec
[34:48.060 --> 34:52.320]  language means and understanding something about how computers and networks work.
[34:53.300 --> 34:58.980]  So, you know, here's a fantastic example of somebody that's successful with an unrelated
degree. Tracy Maleeff, many of you know her, InfoSec Sherpa. She's got a bachelor's in history
and she's got a master's in library sciences. She spent 10 years working as a librarian,
then was a cyber analyst at GlaxoSmithKline, got her first InfoSec certification in 2017,
and in 2019 she became an InfoSec analyst for the New York Times. So library sciences doesn't seem like
[35:24.920 --> 35:31.360]  it's a related degree. However, what it taught her to do was how to do research very, very well.
[35:31.360 --> 35:36.700]  She's certainly a much better researcher than I am, and it taught her how to write exceedingly
[35:36.700 --> 35:43.240]  well. And because of that, she's been tremendously successful, not only in the hacker community,
[35:43.240 --> 35:48.340]  but as a professional InfoSec analyst. So absolutely, all degrees are valuable,
[35:48.340 --> 35:53.520]  and you certainly can work in InfoSec if you have an unrelated degree.
[35:55.780 --> 36:01.100]  So Immanuel Kant said that experience without theory is blind, but theory without experience
[36:01.100 --> 36:06.140]  is mere intellectual play. And it's true. You need both. You need a little bit of theory,
[36:06.140 --> 36:10.340]  and you need a little bit of experience and practical knowledge if you want to be successful.
[36:10.340 --> 36:14.860]  Otherwise, you're really just a one-sided professional. So you need a bit of both.
[36:16.680 --> 36:21.820]  So great. I've got more questions about this. Where can I go for learning and networking
[36:21.820 --> 36:26.080]  resources? Well, congratulations. If you're listening to this, you're already doing that.
[36:26.240 --> 36:31.000]  DEF CON and hacker conferences and hacker collectives are great insight. It's a great
[36:31.000 --> 36:36.980]  place to meet people that may be doing things that you're interested in, or that have good and
[36:36.980 --> 36:44.000]  bad experiences to share with you on their path. Makerspaces, there are makerspaces throughout the
[36:44.000 --> 36:48.840]  country and throughout the world. Lots of professionals have a passion for InfoSec and
[36:48.840 --> 36:53.400]  what they do that are willing to share their experiences and share their knowledge for
[36:53.400 --> 37:00.080]  little or no cost. Capture the flag exercises are great. One of the things I often hear is,
[37:00.080 --> 37:04.220]  I don't feel like I know enough to do capture the flag exercises. That's great. If you knew how to
[37:04.220 --> 37:09.400]  do the capture the flag exercise, it wouldn't be fun. So what I would say is go out there and try
[37:09.400 --> 37:14.680]  it and figure out what you can figure out. And what you can't figure out, go back a week later.
[37:14.680 --> 37:18.380]  What you're going to see is that the teams that did well did write-ups on how to solve the
[37:18.380 --> 37:22.740]  challenges. And that's going to give you insight into not only how to solve the challenges,
[37:22.740 --> 37:27.700]  but subjects that you may want to go back and learn more on. Mentors and mentees,
[37:27.700 --> 37:34.280]  everybody needs a mentor. I've got several. And I learned a lot from my mentors. Here's a
[37:34.280 --> 37:38.280]  hidden trick, though. I learned far more from my mentees than I learned from my mentors.
[37:38.280 --> 37:42.520]  They often ask me questions that I go, you know what, I actually have no idea, and I have to go
[37:42.520 --> 37:48.100]  back and research it. And I have to learn it well enough to explain it to my mentee. So both being
[37:48.100 --> 37:53.160]  a mentor and a mentee is a great way to learn things. There are lots of free online training,
[37:53.160 --> 38:00.500]  everything from YouTube to online classes to Khan Academy. Hacker cons, you can attend or
[38:00.500 --> 38:05.820]  you can volunteer. Attending is always great because you get to go to ideally all the talks
[38:05.820 --> 38:10.680]  that you want to do. Hidden trick of mine is to volunteer at the cons. I've been doing it for a
[38:10.680 --> 38:15.340]  long time. Particularly if you volunteer for speaker operations, you get a lot of one-on-one
[38:15.340 --> 38:19.500]  time with the speakers. You get to ask questions without anybody else in the room. So that's
really, really great. For military members that are leaving, there's a program called SkillBridge
[38:26.800 --> 38:33.000]  where you can go get an internship for six months at a company. That company doesn't pay your salary.
[38:33.080 --> 38:37.400]  The DOD pays your salary. So they get a free intern. You get free job experience. You get to
[38:37.400 --> 38:41.840]  try out that company and decide if you really want to get hired there. So that's a great deal.
[38:41.840 --> 38:48.440]  For college students and for people taking either the School of Hard Knocks or the certification
[38:48.440 --> 38:54.860]  path, go get an internship, either paid or unpaid. Internships are great. Not only do they let you
[38:54.860 --> 39:01.000]  gain some skills, they let you learn about the company. That lets the company learn about you.
[39:01.000 --> 39:04.840]  And oftentimes you get a job, not because you submitted a resume, but because you have a
personal relationship with somebody in a company. Professional organizations, (ISC)², ISACA,
[39:11.180 --> 39:16.640]  all of those tend to have monthly meetings. Those are great. Go network. Go talk to people.
[39:16.640 --> 39:21.500]  They will give presentations. If you want to know how they got to learn about what they learned,
[39:21.500 --> 39:26.400]  they will tell you. Oftentimes they're happy to do that. Boot camps and lunch and learns,
[39:26.540 --> 39:30.640]  a lot of organizations will offer boot camps and lunch and learns for free in some cases because
[39:30.640 --> 39:34.580]  they want you to sign up for their paid classes later. But you don't have to. You can go for an
[39:34.580 --> 39:40.780]  hour and learn about Network Recon or OSINT or whatever it is that they're talking about.
[39:40.780 --> 39:47.240]  So lots of free resources out there. So at the end of this, what's the best solution?
[39:47.400 --> 39:53.300]  It's a choose your own adventure. If you want to be a ninja, do all three paths. Do some
[39:53.300 --> 39:58.600]  experimentation on your own. Go through the school of hard knocks, get some certifications,
[39:58.600 --> 40:04.960]  take some college classes, get a degree, but choose a path and start on it. Journey of a
[40:04.960 --> 40:10.800]  thousand steps. You have to take that first step. What you should consider is what are your goals
[40:10.800 --> 40:14.600]  when you start on this journey? What is your next goal that you want to achieve? And how can you
[40:14.600 --> 40:21.500]  best get there given your timeline, your finances and your goals? So there is no wrong path. There
[40:21.500 --> 40:25.260]  are pros and cons to all of them. Eventually, if you want to be professional, you're going to find
[40:25.260 --> 40:30.100]  out that you've done all three. And so it's really just a matter of which path do you want to start
[40:30.100 --> 40:37.340]  on first? There is no wrong path. So with that, thanks so much for your time and I will be on the
Discord if you have questions. Have a great day. Pablo, thank you so much for all of that. Just
[40:44.200 --> 40:50.480]  sort of great overview because as you said, we tend to have this discussion and everyone camps
[40:50.480 --> 40:58.460]  in my way is right or my way is right. And it really is. Everyone needs to customize their own
[40:58.460 --> 41:05.460]  career path and take bits and pieces. And depending on your finances, where you are in life,
[41:05.460 --> 41:11.320]  all of it. And that's what's so great about the industry is that we have so many resources.
[41:11.320 --> 41:18.860]  We have so many role models. We can craft our own path. And employers are also starting to
[41:18.860 --> 41:24.200]  really realize that experience over certifications. But it's going to change
[41:24.200 --> 41:30.800]  depending on the employer. I really appreciate you pulling this presentation together and also
all your great comments to people's questions in Discord. I want to remind everyone that we're
[41:37.080 --> 41:44.120]  doing resume review and career coaching all day Friday and all Saturday afternoon. You need to
sign up in the Discord channel. Pablo, thank you so much. I can't wait to be able to hug you in
[41:49.460 --> 41:53.320]  person. Thanks, Kathleen. Looking forward to seeing you. Take care.
